Tamper respondent module

ABSTRACT

A tamper respondent module includes a basecard adapted to be inserted into a slot in a rack enclosure comprising at least one guide edge, at least one electrical coupler, a surface and at least one electronic component that contains information in an electronic format. In one example, an outer cover is coupled to the basecard and includes at least five sides. The outer cover is arranged in a covering relationship over the at least one electronic component. In another example, an anti-tamper apparatus is disposed between the outer cover and the surface. In another example, an anti-tamper circuit is electrically coupled to the at least one electronic component. In another example, a thermal frame is thermally coupled to the at least one electronic component.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No.61/144,200, filed Jan. 13, 2009, the entire disclosure of which ishereby incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to an electronic module, andmore particularly, to an electronic module with anti-tamper features.

BACKGROUND OF THE INVENTION

Electronic modules often store highly sensitive information. Forexample, communication devices can store cryptographic keys, handheldscan store passwords and records, and embedded systems can hold sensitivealgorithms or information in memory. These devices can easily fall intothe wrong hands.

It is conceivable that an attack on a device or installation to obtaininformation may be mounted in several stages, including but not limitedto: 1. Removal of covers or covers and any encapsulant; 2.Identification of the location and function of security sensors; 3.Bypassing of sensors to allow access to the next layer of protection;and so on.

Higher levels of FIPS-140 security requires not just certifiedcryptography but also physical protection which is needed to protectagainst someone tampering with, or reverse engineering the security orpossibly getting access to information that is to be protected.

BRIEF SUMMARY OF THE INVENTION

The following presents a simplified summary of the invention in order toprovide a basic understanding of some example aspects of the invention.This summary is not an extensive overview of the invention. Moreover,this summary is not intended to identify critical elements of theinvention nor delineate the scope of the invention. The sole purpose ofthe summary is to present some concepts of the invention in simplifiedform as a prelude to the more detailed description that is presentedlater.

In accordance with one aspect of the present invention, a tamperrespondent module comprises a basecard adapted to be inserted into aslot in a rack enclosure comprising at least one guide edge, at leastone electrical coupler, a surface and at least one electronic componentthat contains information in an electronic format. An outer cover iscoupled to the basecard, comprising at least five sides with at leastone side being oriented generally parallel to the surface and spaced adistance from the surface. A plurality of the remaining sides isdisposed adjacent to the surface of the basecard. The outer cover isarranged in a covering relationship over the at least one electroniccomponent and at least partially over the surface of the basecard.

In accordance with another aspect of the present invention, a tamperrespondent module comprises a basecard adapted to be inserted into aslot in a rack enclosure comprising at least one guide edge, at leastone electrical coupler, a surface and at least one electronic componentthat contains information in an electronic format. A cover comprises aplurality of sides and being arranged in a covering relationship atleast partially over the surface of the basecard. An anti-tamperapparatus is disposed between the cover and the surface and is adaptedto have electromagnetic energy distributed therein. Damage to theanti-tamper apparatus results in a detectable variation of theelectromagnetic energy distribution of the anti-tamper apparatus. Ananti-tamper circuit is electrically coupled to the at least oneelectronic component and comprises a power source. The anti-tampercircuit is adapted to alter or destroy the information contained in theat least one electronic component in response to an indication that theanti-tamper apparatus is damaged.

In accordance with another aspect of the present invention, a tamperrespondent module comprises a basecard comprising a surface and at leastone electronic component that contains information in an electronicformat. An anti-tamper cover is arranged in a covering relationship atleast partially over the surface of the basecard. A removable outercover is arranged in a covering relationship over the anti-tamper cover.An anti-tamper apparatus is disposed between the removable outer coverand the surface, and is adapted to have electromagnetic energydistributed therein. Damage to the anti-tamper apparatus results in adetectable variation of the electromagnetic energy distribution of theanti-tamper apparatus. A thermal frame is thermally coupled to the atleast one electronic component and is at least partially covered by theanti-tamper cover. The thermal frame is adapted to transfer thermalenergy away from the at least one electronic component and towards anenvironment located outside of the anti-tamper cover.

It is to be understood that both the foregoing general description andthe following detailed description present example and explanatoryembodiments of the invention, and are intended to provide an overview orframework for understanding the nature and character of the invention asit is claimed. The accompanying drawings are included to provide afurther understanding of the invention and are incorporated into andconstitute a part of this specification. The drawings illustrate variousexample embodiments of the invention, and together with the description,serve to explain the principles and operations of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other aspects of the present invention will becomeapparent to those skilled in the art to which the present inventionrelates upon reading the following description with reference to theaccompanying drawings, in which:

FIG. 1 is an exploded view of one example tamper respondent module;

FIG. 2 is a partial sectional view of the tamper respondent module ofFIG. 1;

FIG. 3 is an exploded view of another example tamper respondent module;

FIG. 4 is a partial sectional view of the tamper respondent module ofFIG. 3;

FIG. 5 is a detail view of one example edge of the tamper respondentmodule of FIG. 3;

FIG. 6 is similar to FIG. 5, but shows another example edge; and

FIG. 7 is similar to FIG. 5, but shows yet another example edge.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Example embodiments that incorporate one or more aspects of the presentinvention are described and illustrated in the drawings. Theseillustrated examples are not intended to be a limitation on the presentinvention. For example, one or more aspects of the present invention canbe utilized in other embodiments and even other types of devices.Moreover, certain terminology is used herein for convenience only and isnot to be taken as a limitation on the present invention. Still further,in the drawings, the same reference numerals are employed fordesignating the same elements.

The module in this application enables a modular physical anti-tamper(“AT”) security solution for electronics used in harsh environments forstandards based 3U and 6U VPX (VITA-46) formats as well as VITA-48formats not readily available with past commercial off the shelf (COTS)solutions. This application also enables systems integrators and theirend customers to achieve highest levels of FIPS-140-2, CC/EAL andrelevant US/UK/EU and Rest of World (RoW) security certifications asapplicable.

With increased threats to security breaches and reverse engineering ofsensitive defense electronics that may contain sensitive information inthe Theatre of Operations (e.g. in the Battlefield), there is acompelling need to protect sensitive electronics with advancedAnti-Tamper Perimeter Defense requirements. Combining this with advancedruggedization techniques following standards like VITA-46/48 that areneeded for electronics in harsh environments, capital expenses (CAPEX)and operational expenses (OPEX) can be considerably reduced whileprotecting military secrets whose price is invaluable. This is due tothe lower cost of acquiring readily available COTS-based Anti-TamperPerimeter Defense enabled technology in rugged formats and due to easierin-field maintenance and handling of defense electronics as a result ofincorporating standards like VPX (VITA-46/48).

This application can be referred to under the names “2LM-ATS” and/or“2LM-ATS Perimeter Defense” which stands for 2-Level MaintenanceAnti-Tamper Security. It is to be understood that this 2LM-ATSapplication can apply to all 3U/6U cards including VPX, VME, CPCI, VXSor future VITA standards, as well as custom bladed systems that leverageAT for commercial or harsh environments. This application can also applyto commercial or rugged air-cooled, conduction cooled or spray-cooledsolutions.

Anti-Tamper Perimeter Defense technology is expensive as it is usuallycustomized making it expensive for defense systems integrators toimplement in defense platforms within budget (high initial NRE forcustomizations and high recurring price points makes it an unfeasiblemass adoption technology). However, combining AT perimeter defensetechnology with the close adherence to the VITA-46/48 standards and3U/6U form-factors will enable lower costs and wider market adoptionprotecting invaluable embedded defense assets and information whichtranslates into exponential cost savings.

The advantages of modularity will allow for this design to be usedacross many 3U VPX and 6U VPX boards that have maintained the AT coverkeep-outs. The advantages of this re-use and common design will resultin lower costs for highly secure 3U and 6U VPX blades. Due to low costs,wider market acceptance of AT and security solutions will result inbetter protected data, intellectual property, and result in protectedsecrets that are most valuable in the government or defenseapplications.

Turning to the shown example of FIG. 1, one example tamper respondentmodule 10 is illustrated schematically. The tamper respondent module isillustrated as a 3U VPX/6U VPX blade board that is generally adapted tobe inserted into a rack enclosure that can house a plurality of similaror different modules. Though the following examples will be describedwith reference to such a 3U VPX/6U VPX blade board, it is to beunderstood that the instant application can apply similarly to variousother secure electronic modules, such as: financial systems ortransactions such as in banking, or in ticketing systems or machines;items concerned with measurement of a commodity, such as in electricitymeters for reading, recording or transmitting electricity, gas or water;or in many other items including but not limited to encryption devices,set-top boxes such as television set-top boxes, hand-held terminals,secure wireless communication devices, USB tokens, electronic memorydevices such as EPROM/PROM or RAM, secure authentication tokens, part ofPCMCIA card, or part of a motherboard or single board computer; militaryapplications such as weapon systems, intelligence systems, and/oraerospace control systems; and/or protecting biological material,mineralogical material or hazardous material, etc. Additionally, thetamper respondent module may be used as “smart containers” to protectitems, during storage or transport, from unauthorized access and torecord and/or provide notification of attempts at such unauthorizedaccess.

The tamper respondent module 10 includes a basecard 12, such as a VPXbasecard, with at least one electrical coupler, such as a VPX backplaneconnector 14. The backplane connector 14 can be rugged, and can includevarious features such as high speed signaling and/or electro-staticdischarge (ESD) protection to enable easy handling of line replaceablemodules. The backplane connector 14 can provide any or all of power,data communications, cooling, etc. The basecard 12 can also include VPXbackplane keying 16 adapted to mate into corresponding structure withina rack enclosure. The basecard 12 can also include anti-tamper keep-outsand can adhere to various military specifications and/or otherstandards, such as IEEE 1101.2. The basecard 12 can also include atleast one guide edge, such as a pair of guide edges, that can includestructure, such as a wedgelock 18 or the like, adapted to guide thebasecard 12 into a slot 20 in a rack enclosure 22 (see FIG. 5). Eitheror both side edges can include one or more wedgelocks 18, which canguide and may even secure the basecard 12 within the slot 20 of the rackenclosure. The basecard 12 can further include an optional independentpower source 13, such as via a battery, capacitor, etc. such that evenif power to the module 10 is interrupted, some or all of the internalcircuitry can still operate. Thus, three sides of the basecard 12 can beavailable to be inserted into a slot 20 in a rack enclosure 22.

As shown, the basecard 12 can include a surface 24, such as a topsurface thereof. The basecard includes at least one electronic component26 that contains information in an electronic format. The informationcan be analog, digital, or various combinations thereof, and can includevarious types of information, such as cryptographic keys, passwords,programs, records, sensitive algorithms or other information that it isdesired to protect. The electronic component 26 can store the data inanalog or digital memory, such as on hard disks, flash memory, RAM, ROM,or any other type of electronic memory as will be known to one of skillin the art.

The electronic component 26 can be electrically coupled to the basecard12 in various manners, and can be disposed variously within the module10. In one example, not shown, the electronic component 26 can bedisposed on one surface, such as surface 24, of the basecard 12. Inaddition or alternatively, the electronic component 26 can be disposedon a mezzanine card 28, such as an expansion mezzanine card (e.g.,PMC/XMC, custom, etc.) that is electrically coupled to the basecard 12and fits within the module 10. For example, the basecard 12 can includeone or more expansion sites 30 (e.g., PMC/XMC, custom, etc.) that areadapted to electrically couple the mezzanine card to the basecard 12.

One solution to protect the basecard 12 and mezzanine card(s) 28 (3U or6U) is to utilize an outer cover 32 coupled to the basecard. In oneexample, the outer cover 32 can be a 2-level (2LM) or 3-level (3LM)maintenance cover (VITA-48) adapted for a standards-based 3U or 6U VPX(VITA-46) blade. In addition or alternatively, a second outer cover 34can also be used. As shown, the outer cover 32 can be a top cover, whilethe second outer cover 34 can be a bottom cover, with the basecard 12located therebetween, although the descriptors “top” and “bottom” aremerely arbitrary. The outer cover(s) 32, 34 can be electricallyconductive or non-conductive, and can be formed from a generally rigidmaterial, such as metal, alloy, polymer, etc.

The VITA-48 top and bottom covers 32, 34 can be removably ornon-removably coupled to the basecard 12, such as by using mechanicalfasteners on one or more internal or external flanges 36 or possiblythrough coupling to the thermal frame (see below), adhesives, welding,etc. In one example, the assembled module 10 fits generally within aVITA-46/48 one inch pitch and should allow support for 2 LevelMaintenance. Still, tolerances beyond front of a standard VITA-48 covermay be approximately 5 to 10 mm, or various other values.

As shown in FIG. 1, the outer cover 32 can include a plurality of sides,such as at least five sides with at least one side 38 being orientedgenerally parallel to the surface 24 and spaced a distance from thesurface 24. In one example, the at least one side 38 can be a top sidethat is arranged generally parallel to the surface 24. The outer cover32 can further include a plurality of the remaining sides 40 extendingfrom the side 38 and being disposed adjacent to the surface 24 of thebasecard 12. For example, some or all of the remaining sides 40 can abutthe surface 24, or can be spaced a relatively small distance from thesurface 24. In another example, some or all of the remaining sides 40can indirectly abut the surface 24 through one or more intermediatestructures, such as spacers, seals, sensors, etc.

The outer cover 32 is arranged in a covering relationship over the atleast one electronic component 26 and at least partially over thesurface 24 of the basecard 12. For example, as shown in FIGS. 1-2, theouter cover 32 can be arranged in a covering relationship over the atleast one electronic component 26 and substantially completely over thesurface 24 of the basecard 12, though some portion of the side edgeshaving the wedgelock 18 and/or backplane connector 14 may still extendbeyond the outer cover 32 such that the basecard 12 can be inserted intothe rack enclosure 22. In yet another example, as shown in FIGS. 3-4,the outer cover 32 can be arranged in a covering relationship over theat least one electronic component 26 and only partially over the surface24 of the basecard 12 such that the outer cover 32 extends a distancebeyond an edge of the basecard 12 to form a space denoted in FIG. 3 asGAP_(FRONT) 42, as will be discussed more fully herein.

The outer cover 32 can have various features. It is to be understoodthat the second outer cover 34 can have similar or even differentstructure, features, etc. and that all discussion of the outer cover 32can similarly apply. In one example, the outer cover 32 can be opaquesuch that the at least one electronic component 26, and/or the basecard12 and/or other components, are not visible through the outer cover 32when it is coupled to the basecard 12. Thus, where the outer cover 32has five sides arranged in a covering relationship over the basecard 12,any electronic components (including electronic component 26, mezzaninecard 28, etc.), and other elements covered thereby are thus secure fromtampering and even from being visible without removal or penetration ofthe outer cover 32. In another example, the outer cover 32 can beadapted to protect the basecard 12 and any electronic components therein(including electronic component 26, mezzanine card 28, etc.) and otherelements covered thereby from electrostatic discharge (ESD). The outercover 32 can further provide protection against electro-magneticinterference, ultraviolet radiation, infrared radiation, radio waves,x-rays, gamma-rays, etc. For example, where the module 10 is designedfor two-level maintenance (2LM), the module 10 can thus be protectedfrom electrostatic discharge while being removed, replaced, handled,repaired, etc. in the field.

In yet another example, the outer cover 32 can include an ejector handle44 or the like for providing easy ejection (and/or possibly insertion)of the module 10 to/from the slot 20 of the rack enclosure 22. In stilla further example, the outer cover 32 can include tamper indicators 46,such as VITA-48 tamper detection status LED's, other audible or visibledisplays, or the like. The outer cover 32 may simply include holes,recesses, etc. to expose LED's or other tamper indication elements thatmay be on another circuit board, etc. Still, the outer cover 32 may notinclude any LED's, holes, recesses, etc. so as to further reducevulnerability or intrusion points. In still yet a further example, theouter cover 32 can include structure, compositions, coverings, coatings,encapsulant, surface features/finishes, etc. adapted to protect themodule 10 and any elements within the outer cover 32 from harshenvironments, and provide temperature, structural and/or vibrationsupport.

To provide another layer of security, the module 10 can further includeat least one sensor 48 forming an electrical circuit, where the sensor48 is adapted to detect removal of the outer cover 32 from the surface24. In one example, the at least one sensor 48 can be acircuit-completion pad (CCP) adapted to form both a physical andelectrical connection along some or all sides with the basecard 12, suchas via electrical communication with a corresponding CCP or the likedisposed on the basecard 12. As shown, the outer cover 32 can include aplurality of sensors 48, such as four sensors 48 with one on each flange36 (see FIG. 2). In another example, the sensor 48 can be generallycontinuous. The sensors 48 can indicate, directly or indirectly, anattempt to remove the outer cover 32, such as via the tamper indicators46, alternation or damage to the sensors 48, via internal circuitry,etc. Various alternative sensors can include an inter-mating connector,a switch, a proximity sensor, a capacitance sensor, a photosensitivedevice, and acoustically responsive device, a magnetically responsivedevice, and/or a radio frequency (RF) transponder.

To provide yet another layer of security, the module 10 can furtherinclude an anti-tamper circuit 50 electrically coupled to the at leastone electronic component 26 and comprising a power source 52. The powersource 52 can be independent from the remainder of the module 10, suchas via a battery, capacitor, etc. such that even if power to the module10 is interrupted, the anti-tamper circuit 50 can still operate. Theanti-tamper circuit 50 can be adapted to alter or destroy theinformation contained in the at least one electronic component 26, oreven other information and/or components of the module 10, in responseto an indication that the sensors 48 detect an attempt to open, remove,and/or penetrate outer cover 32 and the envelope that it forms over theinformation storage module of the electronic component 26. If the module10 is tampered with, various security measures or protocols can beimplemented via the anti-tamper circuit 50. For example, anti-tampercircuit 50 can be adapted to alter or destroy the information containedin the electronic component 26, such as by automatically erasing and/or“zero-ing out” some or all of the critical data, rendering the dataunusable, an alarm may be activated, and/or the electronic component 26can even be physically or electrically damaged. The anti-tamper circuit50 can be provided with factory settable or user-defined penaltyenforcement routines.

The anti-tamper circuit 50 can be disposed variously about the module10, but generally can be located under the outer cover 32 (or secondouter cover 34) so as to be protected thereby. In one example, as shownin FIG. 1, the anti-tamper circuit 50 can be a module element that isdisposed on a separate card coupled to the basecard 12 via matingconnectors 54, 56. In such an example, as more fully shown in FIG. 3,the outer cover 32 can extend a distance beyond an edge of the basecard12 to form a space denoted as GAP_(FRONT) 42, and the anti-tampercircuit 50 can be located within said space.

An alternative design is to have no extension beyond the front edge if acustom mezzanine or no mezzanine is populated on the basecard 12. Ifpopulated, the PMC or XMC site can be shifted away from the VITA-46 RT2connectors, such as by approximately 2 mm, to allow space for anyadditional covers on the top. For example, as shown in FIG. 4, theanti-tamper circuit 50B can be on a separate mezzanine card coupled tothe basecard 12 in a fashion similar to the other expansion mezzaninecard(s) 28. In another example, as shown in FIG. 2, the anti-tampercircuit 50C can be populated on the basecard 12. Multiple anti-tampercircuits, independent or in communication, can also be provided.

In addition or alternatively, and to provide yet another layer ofsecurity, the module 10 can further include an anti-tamper apparatus 60disposed between the outer cover 32 and the surface 24. Similarly, themodule 10 can include a second anti-tamper apparatus 62 disposed betweenthe second outer cover 34 and a second surface of the basecard 12. Theanti-tamper apparatus 60 is illustrated schematically in the drawings,and can have various sizes, geometries, orientations, distributions,etc. The anti-tamper apparatus 60 can be adapted to have electromagneticenergy distributed therein, and damage to the anti-tamper apparatus 60can result in a detectable variation of the electromagnetic energydistribution of the anti-tamper apparatus 60. In one example, theanti-tamper apparatus 60 can be in electrical communication with theanti-tamper circuit 50, such that the anti-tamper circuit 50 can alteror destroy the information contained in the at least one electroniccomponent 26 in response to an indication that the anti-tamper apparatus60 is damaged. In a further example, where the module 10 includes both asensor 48 (e.g., CCP sensor) and an anti-tamper apparatus 60, the thatthe anti-tamper circuit 50 can alter or destroy the informationcontained in the at least one electronic component 26 in response to anindication that the sensors 48 detect an attempt to open, remove, and/orpenetrate outer cover 32 and/or in response to an indication that theanti-tamper apparatus 60 is damaged. The anti-tamper apparatus 60 canwork together with, or even independent of, the sensors 48.

The anti-tamper apparatus 60, which can be a unitary element or evenformed of a plurality of elements, can generally surround the electroniccomponent 26 (e.g., information storage module) physically andelectronically as it is disposed between the outer cover 32 and thesurface 24. The anti-tamper apparatus 60 can have various structures,such as a resistive ink mesh, or possibly other security protectivecovering, such as a resistive wire approach, etc. Other examples caninclude a relatively thin, printed circuit board having a plurality ofelectrically-conductive tracks arranged in a manner difficult topenetrate without detection. In one example, as shown in FIGS. 1-2, theanti-tamper apparatus 60 can be an anti-tamper mesh that is coupled toand/or wrapped at least partially about the outer cover(s) 32, 34. Forexample, the anti-tamper mesh can be coupled to and/or wrapped generallyabout the exterior surface of the outer cover(s) 32, 34 and may extend adistance within the interior of the covers 32, 34. Alternatively, theanti-tamper mesh can be coupled to and/or wrapped generally about theinterior surface of the outer cover(s) 32, 34 and may extend a distanceoutwards towards the exterior of the covers 32, 34. The anti-tamper meshcan be removably coupled, or preferably non-removably coupled, to theouter cover(s) 32, 34 and/or basecard 12.

In one example, the anti-tamper mesh can uses a matrix of conductive inktracks to shield the enclosed electronics, sensitive data or encryptionkeys. For example, a sheet of the anti-tamper mesh can include layers offlexible material including a matrix of semi-conductive lines printed onthin insulating film. The matrix of lines forms a continuous conductorwhich is broken if attempts are made to penetrate the film. Theanti-tamper mesh can have a property known as the gap vulnerability(i.e., GAP_(ATC-MESH) 64) of the active mesh, which generally denotesthe width of an element that can be used to penetrate the anti-tampermesh without detection, such as by not causing detectable damage to themesh. The anti-tamper mesh can be further obscured from view byoverprinting, overlaminating, or otherwise covering the mesh so as tomake it opaque to both the visible and invisible spectrums (e.g., x-raysand the like).

For example, the detection circuit of the mesh can be monitored byopening the conductor at one point and measuring the resistance betweenthe two ends of the detection circuit. In other examples, various otherattributes can be monitored, such as voltage, current, capacitance, etc.The sheets can be folded and overlapped to create an enclosure ofwedge-shaped, cuboid or cube form (or any other desired geometry) toform an enclosure, and/or to wrap about an existing enclosure.

The anti-tamper mesh can require relatively low power, be non-metallic,and be resistant to being analyzed by X-rays. The anti-tamper mesh candetect physical intrusions by sensing attempts to open, remove, and/orpenetrate the envelope that it forms over the electronic component 26(e.g., information storage module). If the enclosure formed by theanti-tamper mesh is tampered with, various security measures orprotocols can be implemented, as discussed herein. For example, criticaldata can be automatically erased and/or “zeroed out,” rendering the dataunusable, and/or an alarm may be activated. Thus, the anti-tamper meshsystem can provide multi-level protection against physical intrusionsuch as puncture from drills, probes or the like, chemical attacks,and/or laser penetration.

To provide yet another layer of security, the module 10 can furtherinclude an auxiliary anti-tamper apparatus 66 coupled at least partiallyabout the anti-tamper circuit 50. Similar to the described anti-tamperapparatus 60, damage to the auxiliary anti-tamper apparatus 66 canresult in a detectable variation to a characteristic of the auxiliaryanti-tamper apparatus 66. The anti-tamper circuit 50 can be furtheradapted to alter or destroy the information contained in the at leastone electronic component 26 in response to an indication that theauxiliary anti-tamper apparatus 66 is damaged. Such an approach can bebeneficial to inhibit attempts to circumvent the anti-tamper circuit 50.The auxiliary anti-tamper apparatus 66 can similarly be a mesh (or otherstyle), and can have a property known as the gap vulnerability (i.e.,GAP_(ATM-MESH) 68) of the active mesh, which generally denotes the widthof an element that can be used to penetrate the auxiliary anti-tampermesh without detection.

As described herein, one solution to protect the basecard 12 and/ormezzanine card 28 (3U or 6U) is by located or attaching the protectiveanti-tamper mesh underneath the 2-level maintenance covers 32, 34(VITA-48) on a standards-based 3U or 6U VPX (VITA-46) blade module 10.However, there can be problems with this approach. For example, thecurrent VITA-48 covers can leave the sides vulnerable and by putting themesh on the inside only could allow one to drill from the top and peelthe mesh off. Furthermore, the anti-tamper mesh material by itself canbe vulnerable to harsh environments and should be protected.

Turning to FIGS. 3-4, one solution is to provide the module 10 withadditional, separate anti-tamper (AT) cover(s) 70, 72 (i.e., “top ATcover” 70 and “bottom AT cover” 72) that fit underneath the VITA-48outer covers 32, 34. The top and bottom AT covers 70, 72 could allowlocating, coupling, and/or wrapping the anti-tamper apparatus 60, 62(i.e., anti-tamper mesh) on the outside of these covers 70, 72 alongwith the idea of extending the sides 40 of the VITA-48 covers to providephysical protection on all five sides of the AT covers 70, 72 and toform as a fastening mechanism to keep the AT covers 70, 72 in place.Thus, in one example configuration the outermost layer includes theVITA-48 outer covers 32, 34, and the innermost layer includes the topand bottom AT covers 70, 72, with the anti-tamper apparatus 60, 62located therebetween.

From a business side, one conventional problem of including anti-tampertechnology in COTS electronics was that each design had to be custom,making the end product very expensive. The idea here is to keep the ATcovers 70, 72 generally within the VITA-46/48 standards and make themre-useable (or re-useable with slight modifications) across VPX 3U and6U cards. This modularity should drive lower recurring costs and/orwider acceptance of this technology.

This application leverages the anti-tamper apparatus technology, andconcept of multi-level (AT and VITA-48) top and bottom covers 32, 34,70, 72. While conventional top and bottom keep-out lids are designed forcommercial (i.e., non-rugged) environments, the top and bottom covers32, 34, 70, 72 described herein are modified to meet the needs for harshenvironments (i.e., Military/Defense environments). Additionally, theanti-tamper covers 70, 72 are provided for interfacing with theanti-tamper apparatus 60, 62 (i.e., anti-tamper mesh), and a thermaldissipation scheme is employed. Thus, the VITA-48 covers 32, 34, and theAT covers 70, 72 with the anti-tamper apparatus 60, 62, provide asecurity boundary (aka. Perimeter Defense) around a 3U or 6U VPX (VITA46.0) conduction cooled card (IEEE 1101.2) to protect secureinformation.

As shown in FIGS. 3-4, the anti-tamper cover(s) 70, 72 can be arrangedin a covering relationship at least partially over the surface 24 of thebasecard, and are disposed between the outer cover(s) 32, 34 and thebasecard 12. Thus, the anti-tamper cover(s) 70, 72 are generally smallerthan the outer cover(s) 32, 34 to a desired degree. The anti-tampercover(s) 70, 72 can be removably or non-removably coupled to thebasecard 12, such as by using mechanical fasteners on one or moreinternal or external flanges 74 or possibly through coupling to thethermal frame (see below), adhesives, welding, etc. Though theanti-tamper cover(s) 70, 72 are generally smaller than the outercover(s) 32, 34, the respective flanges 36, 74 can be arranged to atleast partially overlap such that the same coupling method can be usedto couple the outer cover(s) 32, 34 and the anti-tamper cover(s) 70, 72to the basecard 12. Alternatively, the flanges 36, 74 can be completelyseparate to permit removal and/or replacement of the outer cover(s) 32,34 (i.e., in a predetermined way without triggering a security event)without removal and/or replacement of the anti-tamper cover(s) 70, 72.

The anti-tamper cover(s) 70, 72 can include a plurality of sides, suchas at least five sides with at least one side being oriented generallyparallel to the surface 24 and spaced a distance from the surface 24,such as a top side. The anti-tamper cover(s) 70, 72 can further includea plurality of the remaining sides being disposed adjacent to thesurface 24 of the basecard 12. For example, some or all of the remainingsides can abut the surface 24, or can be spaced a relatively smalldistance from the surface 24. In another example, some or all of theremaining sides can indirectly abut the surface 24 through one or moreintermediate structures, such as spacers, seals, sensors, etc.

Additionally, to provide even another layer of security, the module 10can further include at least one sensor 76 forming an electricalcircuit, such as the previously described CCP or other sensor, adaptedto detect removal of the anti-tamper cover(s) 70, 72 from the surface24. In one example, the at least one sensor 76 can form both a physicaland electrical connection along some or all sides with the basecard 12,such as via electrical communication with a corresponding CCP or thelike disposed on the basecard 12, or even a physical and electricalconnection with the sensor(s) 48 (i.e., CCP's) of the outer cover(s) 32,34. As shown, the anti-tamper cover(s) 70, 72 can include a plurality ofsensors 76, such as four sensors 76 with one on each flange 74 (see FIG.3). In another example, the sensor 76 can be generally continuous. Thesensors 76 can indicate, directly or indirectly, an attempt to removethe anti-tamper cover(s) 70, 72, such as via the tamper indicators 46,alternation or damage to the sensors 76, via internal circuitry, etc.

In the shown example, the anti-tamper cover(s) 70, 72 and can have aplurality (4 to 5 or more) of inset bosses to enable contact between theanti-tamper apparatus 60, 62 and the basecard 12 through the CCP's toform both a physical and electrical connection along some or all sides.Thus, the anti-tamper cover(s) 70, 72 and anti-tamper apparatus canprovide secure protection while also allowing at least two or threesides of the basecard 12 to be available to slide into/out of a rackenclosure 22 (i.e., mounting chassis), and at least one side availableto electrically interface (i.e., via the backplane connector 14) withthe backplane of the rack enclosure 22. The bottom anti-tamper cover 72(with optional anti-tamper mesh) can sit on the bottom side of thebaescard 12 and forms physical and electrical connections with similarinset bosses on the bottom side of the basecard 12. In a furtherexample, as shown in FIG. 4, the front side of the anti-tamper covers70, 72 (e.g. where the front of the card is) can extend beyond the frontof the card and make contact with each other. An outward facing lip oralternative flanges can be provided to allow one to fasten (e.g.,mechanical fasteners 73, adhesives, welding, etc.) the anti-tampercovers with the VITA-48 outer covers and can also provide a path foroptional LED's 75 or the like via a flying lead or similar structure,which can provide device status information, alarm indication, etc. Thisfront lip can have one or more CCPs (not shown) that enable electricalconnectivity between the top and bottom anti-tamper mesh circuits.

In one example, the anti-tamper apparatus 60, 62 can be at leastpartially disposed between the outer cover(s) 32, 34 and the anti-tampercover(s) 70, 72, respectively. For example, as shown in FIGS. 3-4, theanti-tamper apparatus 60, 62 can be coupled to, and/or wrapped about(interior an/or exterior), either or both of the outer cover(s) 32, 34and the anti-tamper cover(s) 70, 72, or can be freely-floatingtherebetween. In addition or alternatively, the anti-tamper apparatus60, 62 can be at least partially disposed between the anti-tampercover(s) 70, 72 and the basecard 12. In yet another example, ananti-tamper apparatus can be disposed between the outer cover(s) 32, 34and the anti-tamper cover(s) 70, 72, and also between the anti-tampercover(s) 70, 72 and the basecard 12 to provide even further multiplelayers of security.

As an additional feature, any or all of the outer cover(s) 32, 34 andthe anti-tamper cover(s) 70, 72 can be further electrically coupled tothe basecard 12 or any mezzanine card(s) 28. For example, as shown inFIG. 3, the anti-tamper cover(s) 70, 72 can include a flying lead 78 orthe like to be electrically coupled to the basecard 12 or any mezzaninecard(s) 28, including the anti-tamper circuit 50. This can be useful asthere may be a PMC, XMC, or custom card connected to the basecard 12 PWBthat may inhibit the outer cover(s) 32, 34 and/or anti-tamper covers 70,72 to connect to the basecard PWB. The GAP_(FRONT) 42 can alsofacilitate using the flying 78 leads to connect to security circuitry,etc.

While the anti-tamper cover(s) 70, 72 can protect the module 10 and anyelements within the outer cover(s) 32, 34 (including any anti-tamperapparatus) from harsh environments, and further provide temperature,structural and/or vibration support, the thermal energy (e.g., heat)generated by the basecard 12 (or even transferred to the basecard 12from an external source) can be difficult to remove. For example,thermal energy generated by the at least one electronic component 26 canbecome trapped within the multiple layers of covers 32, 34, 70, 72.

The problem of dissipating heat while enabling structural integrity thatcan withstand extreme environments, while also physically encapsulatingand protecting sensitive electronics, security keys, sensitivecryptographic algorithms and other sensitive data in a secureanti-tamper enabled 5 (or 10) sided Perimeter Defense module, isdifficult. The problem is made even further difficult by also making themodule 10 capable of protecting against ESD and protecting theelectronic boundary (mesh) against harsh environments, while adhering to3U/6U VPX (VITA46/48) bladed standards and while maintaining electroniccontact between the anti-tamper enabled covers and the 3U/6U real-estatelimited VPX basecards under extreme shock and vibration scenarios foundin harsh defense environments.

Thus, the module 10 can further include a thermal frame 80 that is atleast partially enclosed by the outer cover(s) 32, 34 and is thermallycoupled (directly or indirectly) to the at least one electroniccomponent 26. The thermal frame 80 can be adapted to transfer thermalenergy away from the at least one electronic component 26 and towards anenvironment located outside of the outer cover(s) 32, 34, such as to therack enclosure 22 or other external environment. The thermal frame 80can be unitary or even formed of a plurality of connected or separateelements, and can provide cooling as well as structural and vibrationsupport for the basecard 12.

The top anti-tamper cover 70 can sit on the thermal frame 80 or directlyon a portion of the basecard 12 that is designed to dissipate heat. Thethermal frame 80 or a heat dissipating PCB is used to properly dissipateheat out of the AT and VITA-48 enclosures. As discussed, heat generatedby the base card PCB and/or PMC mezzanine card can be restricted (i.e.,trapped) from dissipating due to the inclusion of additional layersand/or covers and/or with the use of the anti-tamper apparatus (e.g.,mesh wrap) and the anti-tamper cover(s) 70, 72. Thus, the thermal frame80 and/or a properly design PCB can provide a conductive coolingsolution for either or both the base card PCB and/or PMC mezzanine card,as well as for the at least one electronic component 26.

Turning to FIGS. 5-7, schematic detail views are illustrated of oneexample edge of the module 10. The thermal frame 80 can be in direct orindirect thermal contact with the basecard 12 PCB (or components coupledthereto) and/or can extend between the basecard 12 PCB and the optionalPMC mezzanine card 28, and can also extend through the VITA-48 covers tothe outside environment. It is to be understood that while described asa conduction cooling solution, the thermal frame can be adapted toprovide other types of cooling, including convective cooling, activecooling, liquid/gaseous cooling, air-cooling, spray-cooling, etc.

In one example, as shown in FIG. 5, dissipation of heat out of themodule 10 can be accomplished by VIA's 82 of the basecard 12. Forexample, as shown, the thermal frame 80 can be thermally coupled to thebasecard 12 about the VIA's 82 such that the thermal energy can flowfrom out of the module through the VIA's 82 and into the externalenvironment, such as to the wedgelock's 18 and eventually to the slot 20of the rack enclosure 22.

In another example, as shown in FIG. 6, dissipation of heat out of themodule 10 can be accomplished by a modified thermal frame 80B thatextends at least partially underneath the outer cover 32 and anti-tampercover 70. Thus, the thermal frame 80B extends a distance beyond theouter cover 32.

The modified thermal frame 80B can be thermally coupled and in directthermal contact with the external environment, such as to thewedgelock's 18 and eventually to the slot 20 of the rack enclosure 22.Additionally, heat can also be dissipated through VIA's 82 of thebasecard 12 (e.g., to the wedgelock's 18 or other structure of the rackenclosure 22).

In yet another example, as shown in FIG. 7, dissipation of heat out ofthe module 10 can be accomplished by another modified thermal frame 80Cthat extends at least partially underneath the outer cover 32 andanti-tamper cover 70. Thus, the thermal frame 80B extends a distancebeyond the outer cover 32. The modified thermal frame 80C can bethermally coupled and in even greater direct thermal contact with theexternal environment, such as to the wedgelock's 18 or even directly tothe slot 20 of the rack enclosure 22.

Additionally, heat can be dissipated through VIA's 82 of the basecard 12(e.g., to the wedgelock's 18, the modified thermal frame 80C, and/orother structure of the rack enclosure 22). Also as shown, the basecard12 may be modified to be relatively shorter to increase thesize/geometry of the modified thermal frame 80C and facilitate heatflow.

Where the thermal frame 80, 80B, 80C extends at least partiallyunderneath the outer cover 32 and anti-tamper cover 70, care should betaken to avoid creation of a vulnerable intrusion point. Thus, the spaceor gap created by use of a thermal frame 80, 80B, 80C can be referred toas the GAP_(THERMAL-NECK) 84, 84B, 84C. In one example, the gap orspacing between the top anti-tamper cover 70 and the top surface 24 ofthe basecard 12 should be less than the gap vulnerability (i.e.,GAP_(ATC-MESH) 64) of the active mesh. In other words, theGAP_(THERMAL-NECK) 84, 84B, 84C should be less than or equal to theGAP_(ATC-MESH) 64. Similarly, wherever the anti-tamper apparatus 60 isused, the gap or spacing between the adjacent cover, referred to as theGAP_(COVER) 86, 86B, 86C and the basecard 12 should be less than theminimal vulnerability gap on the mesh. In other words, the GAP_(COVER)86, 86B, 86C should be less than or equal to the GAP_(ATC-MESH) 64.Finally, where an auxiliary anti-tamper apparatus 66 is used to protectthe anti-tamper circuit 50, such as where the anti-tamper circuit 50 islocated near an edge of the cover(s), the GAP_(ATM-MESH) 68 should beless than or equal to the GAP_(ATC-MESH) 64.

Generally, the instant application can provide various benefits overconventional modules in various manners discussed above, and also in thefollowing manners, including, but not limited to: anti-tamper coversbeing embedded to facilitate support for rugged environments (i.e.,temperature, shock, vibration, electrical/magnetic interference,electrostatic discharge, etc.); outer covers and/or anti-tamper coversfitting within VITA-46 3U and 6U form factors (vs. conventional covers);anti-tamper covers sitting on a thermal frame or on the basecard 12 PWBitself; extended outer covers 32, 34 can be used to protect and providestiffness for the anti-tamper apparatus 60 for harsh environments; andouter covers 32, 34 can fasten the anti-tamper covers 70, 72 in placewith screws and possibly sealant (versus “clamps” directly on theanti-tamper cover that can be used for commercial solutions).Additionally, the thermal frame 80 and/or the basecard 12 PWB can beused to properly dissipate heat utilizing various thermal designmethods.

The invention has been described with reference to the exampleembodiments described above. Modifications and alterations will occur toothers upon a reading and understanding of this specification. Examplesembodiments incorporating one or more aspects of the invention areintended to include all such modifications and alterations insofar asthey come within the scope of the appended claims.

1. A tamper respondent module, comprising: a basecard adapted to beinserted into a slot in a rack enclosure comprising at least one guideedge, at least one electrical coupler, a surface and at least oneelectronic component that contains information in an electronic format;and an outer cover coupled to the basecard, comprising at least fivesides with at least one side being oriented generally parallel to thesurface and spaced a distance from the surface, and a plurality of theremaining sides being disposed adjacent to the surface of the basecard,the outer cover being arranged in a covering relationship over the atleast one electronic component and at least partially over the surfaceof the basecard.
 2. The tamper respondent module of claim 1, wherein theouter cover is opaque such that the at least one electronic component isnot visible when the outer cover is coupled to the basecard.
 3. Thetamper respondent module of claim 1, wherein at least one of theplurality of sides disposed adjacent to the surface of the basecardfurther comprises a flange adapted to couple said side to the surface.4. The tamper respondent module of claim 1, further comprising at leastone sensor forming an electrical circuit, the sensor being adapted todetect removal of the outer cover from the surface.
 5. The tamperrespondent module of claim 1, further comprising an anti-tamperapparatus disposed between the outer cover and the surface, and adaptedto have electromagnetic energy distributed therein, damage to theanti-tamper apparatus resulting in a detectable variation of theelectromagnetic energy distribution of the anti-tamper apparatus.
 6. Thetamper respondent module of claim 5, further comprising an anti-tampercover arranged in a covering relationship at least partially over thesurface of the basecard and being disposed between the outer cover andthe basecard.
 7. The tamper respondent module of claim 6, wherein theanti-tamper apparatus is at least partially disposed between the outercover and the anti-tamper cover.
 8. The tamper respondent module ofclaim 6, wherein the anti-tamper apparatus is coupled to at least one ofthe outer cover and the anti-tamper cover.
 9. The tamper respondentmodule of claim 5, further comprising an anti-tamper circuitelectrically coupled to the at least one electronic component andcomprising a power source, the anti-tamper circuit being adapted toalter or destroy the information contained in the at least oneelectronic component in response to an indication that the anti-tamperapparatus is damaged.
 10. The tamper respondent module of claim 9,further comprising an auxiliary anti-tamper apparatus coupled at leastpartially about the anti-tamper circuit, damage to the auxiliaryanti-tamper apparatus resulting in a detectable variation to acharacteristic of the auxiliary anti-tamper apparatus, and wherein theanti-tamper circuit is further adapted to alter or destroy theinformation contained in the at least one electronic component inresponse to an indication that the auxiliary anti-tamper apparatus isdamaged.
 11. The tamper respondent module of claim 1, further comprisinga thermal frame that is at least partially enclosed by the outer coverand thermally coupled to the at least one electronic component, thethermal frame being adapted to transfer thermal energy away from the atleast one electronic component and towards an environment locatedoutside of the outer cover.
 12. The tamper respondent module of claim11, wherein the thermal frame extends a distance beyond the outer coverand is thermally coupled to external structure located within theenvironment outside of the outer cover.
 13. A tamper respondent module,comprising: a basecard adapted to be inserted into a slot in a rackenclosure comprising at least one guide edge, at least one electricalcoupler, a surface and at least one electronic component that containsinformation in an electronic format; a cover comprising a plurality ofsides and being arranged in a covering relationship at least partiallyover the surface of the basecard; an anti-tamper apparatus disposedbetween the cover and the surface and adapted to have electromagneticenergy distributed therein, damage to the anti-tamper apparatusresulting in a detectable variation of the electromagnetic energydistribution of the anti-tamper apparatus; and an anti-tamper circuitelectrically coupled to the at least one electronic component andcomprising a power source, the anti-tamper circuit being adapted toalter or destroy the information contained in the at least oneelectronic component in response to an indication that the anti-tamperapparatus is damaged.
 14. The tamper respondent module of claim 13,wherein the cover comprises at least five sides with at least one sidebeing oriented generally parallel to the surface and spaced a distancefrom the surface, and a plurality of the remaining sides being disposedadjacent to the surface of the basecard, the cover being arranged in acovering relationship over the at least one electronic component. 15.The tamper respondent module of claim 13, further comprising at leastone sensor forming an electrical circuit, the sensor being adapted todetect removal of the cover from the surface, the anti-tamper circuitbeing adapted to alter or destroy the information contained in the atleast one electronic component in response to an indication that the atleast one sensor detects removal of the cover from the surface.
 16. Thetamper respondent module of claim 13, further comprising a thermal framethat is at least partially enclosed by the cover and is thermallycoupled to the at least one electronic component, the thermal framebeing adapted to transfer thermal energy away from the at least oneelectronic component by conduction and towards an environment locatedoutside of the anti-tamper cover.
 17. A tamper respondent module,comprising: a basecard comprising a surface and at least one electroniccomponent that contains information in an electronic format; ananti-tamper cover arranged in a covering relationship at least partiallyover the surface of the basecard; a removable outer cover arranged in acovering relationship over the anti-tamper cover; an anti-tamperapparatus disposed between the removable outer cover and the surface,and adapted to have electromagnetic energy distributed therein, damageto the anti-tamper apparatus resulting in a detectable variation of theelectromagnetic energy distribution of the anti-tamper apparatus; and athermal frame that is thermally coupled to the at least one electroniccomponent and being at least partially covered by the anti-tamper cover,the thermal frame being adapted to transfer thermal energy away from theat least one electronic component and towards an environment locatedoutside of the anti-tamper cover.
 18. The tamper respondent module ofclaim 17, further comprising an anti-tamper circuit electrically coupledto the at least one electronic component and comprising a power source,the anti-tamper circuit being adapted to alter or destroy theinformation contained in the at least one electronic component inresponse to an indication that the anti-tamper apparatus is damaged. 19.The tamper respondent module of claim 17, wherein the removable outercover comprises at least five sides with at least one side beingoriented generally parallel to the surface and spaced a distance fromthe surface, and a plurality of the remaining sides being disposedadjacent to the surface of the basecard, wherein the outer cover isopaque such that the at least one electronic component is not visiblewhen the outer cover is coupled to the basecard.
 20. The tamperrespondent module of claim 17, further comprising: a second anti-tampercover arranged in a covering relationship at least partially over asecond surface of the basecard; a second outer cover arranged in acovering relationship over the second anti-tamper cover; and a secondanti-tamper apparatus disposed between the second outer cover and thesecond surface, and adapted to have electromagnetic energy distributedtherein, damage to the second anti-tamper apparatus resulting in adetectable variation of the electromagnetic energy distribution of thesecond anti-tamper apparatus.